Install LEDE on a Linksys WRT1200AC router

The Linksys WRT1200AC is one of the latest successors to the legendary WRT54G that sparked the OpenWRT Linux based router firmware. Linksys claims that the WRT1200AC is "developed for use with OpenWRT", so it seems like a safe bet for anyone who wants to run Linux on their router.

Reality has it that Linksys and the Wi-Fi chip vendor Marvell didn't release an open source Wi-Fi driver until half a year after launching the router, but eventually support for the Linksys WRT1200AC has matured and it seems to be gaining in popularity with the LEDE community.

LEDE is a project that spawned from OpenWRT. Many of the original developers from OpenWRT jumped ship and the LEDE project's support for Linksys WRT1200AC is far ahead while it seems to have stalled in the OpenWRT project.

Taking the red pill

One of the key benefits of running Linux on your router is that you take back control of what essentially is the front door to your home network.

A lot of ISPs around the world provide their customers with routers that support TR-069, a feature that allows the ISP to log into your network at their discretion. Most often this feature cannot be disabled and as a customer you don't know if they store the key safely and how and when they use it and if they share it with anyone.

Some routers also have remote management capabilities that compel the customer to store the login and password in the vendor's cloud.

These features do not make a secure network and on top of that the stock firmware of many routers are riddled with security vulnerabilities and even factory backdoors. TCP-32764 is one of the more infamous factory backdoors because many vendors were implicated, Linksys too, and when the backdoor was discovered the vendors just tried to obfuscate the backdoor rather than close it.

With a LEDE firmware you don't hand over the keys to your network to anyone else and the source code is open for all to inspect.

Configurability

Another key benefit of running Linux on your router is the ease of installing and removing features with some 3500 packages to choose from. The package manager opkg will have a familiar feel if you are already used to package managers such as Ubuntu's apt. And let's not forget the cool-factor of logging into your router with SSH and having a Linux shell at your disposal.

The web interface LuCI is also quite capable and provides features and diagnostics beyond those offered by the stock firmware.

Prerequisites

Obviously you need a Linksys WRT1200AC and an external modem. Typically your ISP can provide you with a modem so I'm not going to cover the modem in this post. Further more the installation can only be performed from a PC that is connected to the router through an Ethernet cable. The reason being that it is safer and the Wi-Fi radios are not enabled by default after flashing the LEDE firmware leaving us with no other option than to do the initial Wi-Fi configuration through a cabled connection.

Download the LEDE firmware

To download the LEDE firmware for the WRT1200AC go to the LEDE table of hardware and filter the rows by model name "WRT1200AC".

Click View/Edit data in the last column and download the factory image from the Firmware LEDE install URL. In general the factory image files are for flashing from the stock OEM to a LEDE firmware, where as the sysopgrade bin files are for upgrading from one LEDE firmware to another LEDE firmware.

Flash the firmware

From a PC connected to the router with an Ethernet cable, open a browser and point it to http://192.168.1.1/. Sign in locally and open the Connectivity page. Click Choose File and select the factory image file you downloaded. The router will warn about unrecognized filename format but go on and flash the image. Be patient, the router reboots automatically when it's done.

Change the root password

After flashing the firmware both WiFi radios are disabled. We must change the router's root password before enabling the radios.

Stable releases bundle the LuCI web interface while snapshots don't. If you followed the firmware link above, then you have the stable release and can change the password through LuCI. If you installed a snapshot then the password is changed though SSH. Both methods are described below.

Stable release

Open the LuCI web interface at http://192.168.1.1 and sign in as root with a blank password.

Select the page System->Administration from the dropdown menu and change the password. Then click Save & Apply.

Snapshot release

The router is accessed using an OpenSSH client (or Putty if you are on Windows).

SSH into the router and change the root password.

$ ssh root@192.168.1.1$ passwd

Then install the LuCI web interface using the routers package manager.

$ opkg update
$ opkg install luci

Start the HTTP service.

$ /etc/init.d/uhttpd start
$ /etc/init.d/uhttpd enable

Configure and enable the wireless network

In this section we configure the 2.4GHz radio for maximum compatibility with older devices and the 5GHz radio for maximum speed with 802.11ac.

On the PC still connected through the Ethernet cable open a browser and point it to the LuCI web interface at http://192.168.1.1/

Open the menu "Network->Wireless" and edit the Marvell 88W8864 802.11bgn (radio1). This is the 2.4GHz radio that supports older Wi-Fi protocols. Set mode to "Legacy" for maximum compatibility with older devices and set the Channel to "Auto". Click Save.

Then click the Advanced Settings tab and select your country code to comply with national regulation for wireless networks. Click Save.

Finally click the tab "Wireless security". Set Encryption to "WPA2-PSK" and enter a new Key to access to the wireless network. Then click Save & Apply.

Go back to the menu "Network->Wireless" and select the other radio Marvell 88W8864 802.11nac (radio0). The configuration of this radio should be almost identical to the first radio except this time we set the mode to "AC".

Save & Apply again.

Then return to the "Network-Wireless" menu and click the "Enable" button on both radios.

At this point the Wi-Fi is operational! You can disconnect the Ethernet cable and connect over Wi-Fi.

Enable Wi-Fi Protected Setup (WPS button)

Some devices such as wireless printers can only join the network using the WPS button. WPS is not enabled by default in the stock LEDE image.

Open a SSH connection to the router:

$ ssh root@192.168.1.1

Open the /etc/config/wireless file.

$ vim /etc/config/wireless

Press i to enter insert mode. Insert the following line in the section starting with "config wifi-iface 'default-radio1'".

option wps_pushbutton '1'

Press ESC to exit insert mode and type :wq to write the file and quit.

Now printers can join the network simply by pressing the WPS button on the printer and the WPS button on the router (located on the back panel of the router).

Network printers need a fixed IP address. Open the menu "Network-DHCP and DNS" and scroll to the last section Static leases. Press the button Add and enter the MAC address of the printer and an IP address in the 192.168.1.x range, for instance the IP that was already dynamically assigned to the printer.

Keeping packages up to date

Packages installed through OPKG (including bundled packages such as the LuCi web interface) can be upgraded using the following command.

$ opkg upgrade <package>

However having to name the packages explicitly is not very practical when we want keep all installed packages up to date. Instead we can use the script opkg-upgrade.sh available from https://github.com/tavinus/opkg-upgrade. Here's how to install it.